The auction site’s huge security breach offers criminals the chance to make a
fortune. Should internet companies do more to protect us?

Some of the numbers involved in the eBay security breach reported this week are so large that they are difficult to grasp. Up to 233 million people have had their personal details stolen – their telephone numbers, their names, their postal and email addresses, their dates of birth and the passwords to their accounts. Of those 233 million, 15 million were eBay customers in Britain.

The exact circumstances of how such a huge security lapse has happened are not yet fully known. What is certain is that eBay has handled the loss of data extremely poorly, with experts and MPs castigating the company for what appeared to be serious delays in informing their customers after the initial breach at the end of February. Worse, yesterday – after telling customers to change their passwords with immediate effect – eBay’s systems crashed as people tried and failed to do as instructed.

The incident has shone a spotlight once again on the amount of information held by internet companies. And it has caused yet further confusion about what exactly customers can do to protect themselves.

One curiosity about the scale of eBay’s data breach (10 times as big as the infamous Department of Work and Pensions missing disk scandal), is how this company became so large. Many may think of eBay as a rather fun auction site, where you can offload those unwanted Christmas presents and pick up second-hand children’s cots. It still serves this purpose – I’ve known dinner parties interrupted as normally polite adults check their phones to see if their bid for a lampshade has been accepted. But it is more, too.

“They are now a fully fledged retail platform,” says Neil Saunders, retail analyst at Conlumino, a consulting firm. “They are a significant player, and in terms of customer numbers they are easily a top 10 player in the clothing market.” In part, that is because the likes of Argos, Asos, Debenhams and House of Fraser use eBay as an alternative platform to target online shoppers with new products. Patrick O’Brien of Verdict, a retail research firm, estimates that £6 billion of sales go through eBay each year.

What makes the eBay security breach so worrying is that the company also owns PayPal, the payment system that boasts of its security and convenience, and which is used by many other websites. But eBay says that PayPal is run on a separate system and has not been breached. However, many customers use the same password for both sites, and anyone who recovers an eBay password will try it on PayPal and elsewhere, so those customers will need to change their PayPal password, too.

Graham Cluley, a leading online security consultant, says: “eBay is saying that there is no evidence that any financial information has been leaked. But that always makes me a little bit nervous. It is hard for them to be 100 per cent certain when something is missing. It’s not like someone stealing the Mona Lisa and suddenly there is a gap on the wall.”

There are quite a few very reputable retailers that have managed to lose customers’ bank account information, most notably Target, the huge American retail chain. At the end of last year, hackers stole details of 40 million of its customers, including their credit card details and PINs. Many banks chose to reissue customers with new cards.

But experts say people should still take the data breach at eBay seriously, even though it has not lost their bank account details. To understand why, you need to trace what happens to the data after it leaves the company and enters hackers’ hands.

In some cases, the hackers grab the data for the sheer thrill of beating the system. In these instances, the thief usually boasts about it on the internet within 24 hours, but experts say this sort of breach is increasingly rare. In most cases, the data is stolen with criminal intent. “The data is most likely being sold on underground marketplaces – basically an underground version of eBay,” Cluley says. Oh, the irony.

Estimates for how much an individual’s basic information is worth vary from £1 to about £30, depending on whether it comes with a password. In eBay’s case, the company had at least stored the passwords in encrypted, scrambled form, but none of the other personal details: the names, addresses, telephone numbers and dates of birth were held in clear text. Brendan Rizzo, technical director of Voltage Security, says: “Everything should be encrypted. But it would seem that eBay took very much a tick-box compliance approach to protecting users’ data.”

On its own, the data gives a criminal limited direct leverage, though in theory a date of birth, postal address and email address are enough to attempt full-scale identity theft. This is the stuff of digital nightmares: an alternative online version of you prowling the world wide web, setting up accounts in your name and racking up a bad credit score.

In practice, this is unlikely to happen. Without bank account details there is limited direct damage they can do. However, a criminal can still cause huge indirect damage by sending out millions upon millions of spam emails. And this is the most common way your stolen data ends up being used.

“If I had access to 100 million email addresses, I would spam them,” Cluley says. “I would send them a convincing-looking email with their name, date of birth or other information to make it look plausible and contain within that email a link to a malicious website, or an attachment, which causes your computer to become infected.”

These are not the Viagra offers or Nigerian begging letters that are often comically incompetent attempts to make us part with cash. Because they contain enough basic information, there is a chance that a few recipients – and it only needs a few to be successful – will click on the link.

By doing so, you can leave your computer open to becoming a hunting ground for criminals higher up the food chain, because by clicking you have usually inadvertently installed dodgy software, such as adware. This is what can cause annoying pop-up adverts to flash up on your screen. Every time you click on one, the criminal will be taking a tiny slice of the revenue.

Other malware, such as keylogger software, can be far more dangerous, allowing criminals to record every key you type and, ultimately, work out the passwords for your online accounts, your email, and your bank and insurance company logins.

The most dangerous are “spear phishing” attacks, which are highly personalised emails designed to trick even savvy computer users. Chris Boyd, analyst at Malwarebytes, explains: “Say, on Twitter, I see you complaining about some poor service with a particular bank, and I can see you are a customer with them. I then take the information from this eBay attack and I can then construct a wonderfully crafted email purporting to come from your bank. Before you know it, you have handed over your account details.”

All experts have implored customers to change the passwords for their eBay accounts and for any other website that uses the same password. The reason is that, although the stolen passwords were encrypted, the criminals now hold the scrambled passwords on their own machines and can guess at them offline at their leisure; common or short passwords fall quickly to that kind of guessing, and each password recovered will then be tried against every other site where the same email address is registered.
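The two points above (that password reuse exposes PayPal and other accounts, and that scrambled passwords can still be broken by guessing) are easy to demonstrate. The following is an added example written for this page, not code from eBay or from any of the experts quoted; the user accounts, passwords and wordlist are all constructed for illustration, the hashing scheme is a simple salted PBKDF2 standing in for whatever eBay actually used, and the "second site" is a stand-in for a payment site where some users reused their eBay password.

```python
"""Added example: offline guessing against a dump of salted password hashes,
followed by replaying the recovered passwords against a second site.
All accounts, passwords and the wordlist below are constructed for illustration."""
import hashlib
import hmac
import time

# Constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2014", "iloveyou", "ebay1234"]

# Constructed auction-site accounts: three weak passwords and one long random one.
AUCTION_USERS = {
    "alice@example.com": "summer2014",
    "bob@example.com": "letmein",
    "carol@example.com": "qwerty",
    "dave@example.com": "xK9#vQ2p!mL7&wR4",  # not in any wordlist, so not recovered
}

# Constructed payment-site accounts: alice and carol reused their passwords, bob did not.
PAYMENT_USERS = {
    "alice@example.com": "summer2014",
    "bob@example.com": "a-different-password",
    "carol@example.com": "qwerty",
}


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. iterations=1 approximates a plain salted hash;
    a high count is what makes each guess expensive for the attacker."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_table(users: dict, iterations: int) -> dict:
    """What the attacker walks away with: per-user salt and hash, never the plaintext.
    Salts are derived deterministically here only so the example is repeatable."""
    table = {}
    for user, pw in users.items():
        salt = hashlib.sha256(user.encode("utf-8")).digest()[:16]
        table[user] = (salt, hash_password(pw, salt, iterations))
    return table


def dictionary_attack(table: dict, wordlist, iterations: int) -> dict:
    """Offline guessing. The salt is in the dump, so it only defeats precomputed
    tables; every user can still be attacked individually. Returns {user: password}."""
    recovered = {}
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt, iterations), digest):
                recovered[user] = guess
                break
    return recovered


def verify_login(table: dict, user: str, password: str, iterations: int) -> bool:
    """Models the second site's own login check against its salted hash."""
    if user not in table:
        return False
    salt, digest = table[user]
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


def credential_stuffing(recovered: dict, other_table: dict, iterations: int) -> list:
    """Replay every recovered (user, password) pair against the other site;
    returns the users whose reused password logged in."""
    return sorted(u for u, pw in recovered.items() if verify_login(other_table, u, pw, iterations))


def seconds_per_guess(iterations: int, trials: int = 10) -> float:
    """Cost of one guess at a given work factor: the defender's only real lever
    once the hashes have been stolen."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(trials):
        hash_password("benchmark", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    auction = build_table(AUCTION_USERS, iterations=1)
    found = dictionary_attack(auction, WORDLIST, iterations=1)
    print("recovered from the auction-site dump:", found)
    payment = build_table(PAYMENT_USERS, iterations=1)
    print("reused passwords that log in elsewhere:", credential_stuffing(found, payment, 1))
    print(f"cost per guess: {seconds_per_guess(1):.7f}s at 1 iteration, "
          f"{seconds_per_guess(100_000):.4f}s at 100,000 iterations")
```

Three of the four constructed accounts fall to a seven-word list regardless of the salt, and two of those recovered passwords then open the same users' accounts on the second site. Dave's long random password survives only because it is not in the list, which is why experts tell users to change reused passwords rather than rely on the "encrypted" label; the only thing that slows the guessing itself is a high work factor on the site's side, which the stolen dump cannot retroactively gain.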

However, many users will feel a sense of ennui that, yet again, they have to change their passwords after another data breach, and even if they do, this is no more than damage limitation. The details have been stolen and changing passwords will not stop the phishing attacks.

Online criminal activity is not going to go away. Currently, just 12.5 per cent of our retail spend is over the internet, but this will steadily increase, providing an ever more tempting target for criminals. While violent crime and robberies are declining, online fraud jumped last year. The last time the Government tried to estimate the annual cost of online crime, back in 2011, it put the figure at £27 billion, but a recent Home Affairs Select Committee report suggested this was a wild underestimate.

What makes cyber crime so pernicious is that it is impossible for anyone to link the eBay data breach – or any other data breach – directly with a consumer being out of pocket. But last night the personal details of 715 individuals were advertised for sale online in one of the murkier corners of the internet. The data appeared to come from the eBay security breach and looked to be an attempt by a hacker to attract potential criminal buyers.

You might not directly be a victim, but someone, somewhere will be making an awful lot of money out of all that information.